How to keep branch offices as secure as corporate HQ

Rickety branches

Your gleaming corporate headquarters, filled with brand-new computers, may be what’s on the front page of the company website, but we all know that in many large organizations, much of the day-to-day work happens in local branch offices, often small, poorly equipped, and understaffed. And of course, many companies and workers are embracing the flexibility offered by the internet to work at home full time. But these satellite worksites can end up causing big headaches for tech pros tasked with keeping company assets secure. We talked to a number of tech pros to find out more about the dangers—and the solutions.

Home offices need help

The home office is a security minefield. “Connected devices in the home likely have far fewer security controls associated with them,” says Andrew Hay, CISO of DataGravity. “Every organization should have policies, procedures, and guidelines for acceptable use of company resources when outside of the physical office walls.”

The humble home router is a particularly sensitive attack vector. “Companies should encourage remote employees to be vigilant about securing their routers,” says Tony Anscombe, security evangelist at Avast Software. “Users should change the default admin username, create a strong password, and make sure that their routers’ firmware is up to date.”

Your devices can betray you

It’s not just your routers that need updating, though: any device on your home network can be a backdoor into your work machine if you bring it home. DataGravity’s Hay notes that “I once spoke with an NCIS agent who conducted an investigation where a naval officer’s laptop was compromised by way of infiltrating his daughter’s laptop.”

Danger at the (small) office

But if most people are at least aware that precautions need to be taken at home, small branch or remote offices can be even more of a danger—precisely because people assume they’re “at work” and thus protected. But that’s often not the case. Jon Clay, director of Global Threat Communications at Trend Micro, says corporate IT “needs to have visibility into what is occurring within the office—and that can be challenging in the main network, let alone a remote location.”

In many cases, branch offices are simply left to their own devices. “Most upper middle market and enterprise companies have great solutions and teams monitoring their large networks but only have firewalls and antivirus software in their branch offices,” says Scott B. Suhy, CEO at NetWatcher.

Staffing dilemma

Tim Cullen, a senior security architect at Adapture, outlines the problematic dynamic at play in trying to keep small offices properly staffed. “If you have an on-site tech, you have to pay a salary for someone who can work alone and unsupervised. This means a senior person to support a small office. That can seem like a waste of money on the company side and a waste of time on the tech person’s side, which in turn can lead to resentment on either side and usually ends up in high turnover for that position or the feeling of being extorted for a high salary.”

Make yourself at home

All this can lead to neglect. Joshua Crumbaugh, founding partner and CEO of PeopleSec, frequently tests human, physical, and cybersecurity at remote facilities, and often finds security standards lacking. “Computers at these remote facilities tend to be less protected than at corporate facilities,” he says. “For instance, I see missing BIOS protections, reuse of local administrator passwords, and live network jacks in common areas.”

But that’s not all. “Physical security is more relaxed there than at corporate locations,” he adds. “This makes it easy for an attacker to walk in and plug into networking equipment. I have personally walked right into many remote facilities and plugged into their local network without ever being noticed.”

Central command

To impose order, you’ll need to use software that can put security measures and policies in place remotely. “We would advise IT to deploy security solutions that are centrally managed and have templated provisioning, so they can be easily configured and deployed without error across all sites,” says Kumar Mehta, founder and CDO of Versa Networks. “This also makes ongoing security updates easy and timely to administer.”

Day-to-day maintenance of edge networks relies not just on remote access but automation. “Automate as much as possible and develop an infrastructure that allows full remote configurability and visibility into what is occurring within the remote location,” says Trend Micro’s Clay.

Rise of the machines

“For edge networks providing connectivity to remote offices and locations, out-of-band management and intelligent monitoring systems that oversee IT equipment offer increasingly robust security in the absence of technical staff,” says Marcio Saito, CTO of Opengear. And that applies to physical infrastructure as well, he says. “Intelligent edge network systems utilize an array of sensors to safeguard remote network hardware from both security and environmental threats, triggering alarms when doors are opened and equipment is at risk of being tampered with. Most businesses will also want to automatically manage power supplies or reroute connectivity if excessive heat, humidity, or other risk factors are present.”

Mobile automation

Similarly, centralized control and automation need to be imposed on mobile devices. “You can train outside staff all you want, have all the policies and procedures in place you need, but without some form of remote oversight and management of company mobile devices, there is a substantially greater risk that someone on the ‘outer edge’ of your workforce is a vulnerable entry point for malicious activity on your company’s network,” says Stephen Treglia, legal consultant at Absolute.

Tom DeSot, executive vice president and CIO at Digital Defense, concurs. “These solutions also can typically monitor what apps are installed on the device and can block the installation of these apps so that the device remains secure.”

Keep data safe and secure

Beyond automation, the experts we spoke to suggested a variety of specific technologies for keeping edge workers secure. David Martin, vice president of VeriFyle, puts a particular emphasis on encrypted communications: “It gets dicey when you start having people work remotely because you have to have a way to connect to the home system. This connection point is another point of weakness.”

Cloud-based solutions and apps are often used to knit remote offices into the larger enterprise, but Jeff Erramouspe, vice president and general manager at Spanning by Dell EMC, says that opens a data security can of worms. “Organizations need to have a SaaS data disaster recovery plan that includes an automated third-party backup and recovery solution,” he says.

Cloud of safety

But while cloud-based services have vulnerabilities, there are cloud- and network-based tools that can uniquely help lock down remote offices. “Businesses need to decimate their on-premise-only strategy,” says Chris Richter, senior vice president of global security services at Level 3 Communications. “It can be scary to step away from a physical firewall, but if companies move their firewall to the network, via the cloud, they have the agility to protect their enterprise assets no matter where employees are located.”

Versa Networks’s Mehta agrees, touting “security functions integrated with the branch’s network functions—SD-Security built into the SD-WAN—which means provisioning and management is greatly improved, and central IT’s work is greatly reduced.”

Problems beyond tech

Technical solutions aren’t the only way to maintain security, or even the best. You want to establish a secure corporate culture—but branch offices are at a disadvantage here. “Formal communications can be delivered via online training and consumed in the same form no matter the location, so from a compliance standpoint you can say that all employees have ‘taken the training,’” says Tom Pendergast, chief strategist for security, privacy, and compliance for MediaPro. “But it’s the informal stuff—the conversations around the recent phishing campaign that went out, the social buzz about the new Internet of Things video, as well as the face-to-face interactions with management and with IT—that can really get lost in a satellite environment.”

Who’s there on the ground?

Alvaro Hoyos, chief information security officer at OneLogin, suggests that having someone in a branch office with cybersecurity as part of their brief can help create a security culture—even if this falls short of having a full-time IT employee, with all the problems we outlined earlier. “Deputizing someone who is local to be point on asset collection and distribution is helpful,” he says. “This employee does not need to be in IT specifically. It can be someone that is acting office manager or can belong to any team—sales, marketing, customer support, etc. You can prepare assets locally and deploy them to be distributed by this individual.”

Getting to the point

In the end, the risks involved in remote offices should perhaps focus IT security staff on what should’ve been their target all along. “Security professionals need to ensure the company assets remain secure, and to do this they need to worry less about the home environment and concentrate on the endpoint that connects to the company network,” says Avast’s Anscombe.

OneLogin’s Hoyos agrees. “IT security risks are inseparable from each end user, not rooted to the systems they use,” he says. “Your personnel can log in to company systems from various endpoints; the challenge is to secure the interactions between your systems and all authorized and unauthorized endpoints they are logging in from. In a lot of cases, remote offices are not introducing significant new risks, but rather highlighting existing ones for environments that leverage the cloud.”